Wireless?
Shift4SMS
03-25-2008, 10:40 AM
We advise our merchants not to use wireless technologies in our documentation and state that if they do decide to use it, there are many considerations and they should seek the advice of a security assessor. We are not a security assessment firm, nor do we claim to be.
I received the following response from Visa on a pending audit report: "6.1.c wireless can be used however, how is the guide addressing this? Simply stating do not use does not address the intent of this requirement, it is to address that if a customer does use it do they have adequate recommendations on how to do so securely."
Our recommendation is not enough, and now they are asking us to act as a security assessor for our merchants? How much detail are they asking for here? Access point model numbers? Firewall configurations?
I feel we are being required to provide idiot proof and secure wireless setup documentation even though we recommend not using wireless. Should we include a Setting Up Secure Wireless Infrastructure for Dummies book with our user documentation? (do they make one?)
Any thoughts?
wconway
03-25-2008, 02:04 PM
I'd start with the Wireless FAQ Aegenis included in their latest newsletter. Check their website for a link.
Shift4SMS
03-25-2008, 04:08 PM
So do you have any idea on what Visa is asking for here in regard to this particular PABP audit report? Are they asking we include this referenced FAQ in our user documentation? If so, will a link suffice since it is copyrighted material?
sm1978
03-25-2008, 06:05 PM
Start with your assessor; they should be able to give you some guidance on your report. What is their take on what you need to provide? I'd think referencing existing resources on secure wireless should be sufficient.
timcaldwell1
03-25-2008, 07:32 PM
Steve,
I truly feel your pain, as we too got hit with this several months ago during a PABP validation effort. We waited 45 to 60 days, then got the request from Visa to clarify how we would deploy our application in a wireless environment, even though we clearly stated in the PABP Implementation Guide that wireless is not recommended or supported, and that the use of such technology may invalidate the client's maintenance contract.
To paraphrase one of our 'big brains'; it's like telling the client that they should not use a lawnmower on their Astroturf, but if they choose to anyway against our recommendations... here is how we suggest you discard our recommendation.
We got through it with documentation and ended up back in the 45 to 60 day waiting pool. "Incredibly frustrating" is being polite.
I will give you a follow-up call this week to discuss how we successfully addressed this situation.
As a previous poster has suggested here, check out this article:
http://www.aegenis.com/UserFiles/File/Reports%20and%20Papers/PCI%20DSS%20Wireless%20Security%20FAQ.pdf
---Food for thought---
My understanding is that bad wireless security may have led to the TJX event... As a technologist, I'm sure you understand that, as software developers, there is no way to 'prevent' a client from implementing wireless in their environment. Therefore, I am told, Visa wants you to CYA in the form of documentation.
Tim
lyalc
03-25-2008, 09:34 PM
I had assumed that referencing the specific sections in PCI DSS and stating that they must be complied with if wireless operation is contemplated, in addition to the recommendations mentioned, would be sufficient.
Or simply stating that wireless usage will invalidate PABP in BIG LETTERS.
lyalc
Shift4SMS
03-26-2008, 08:39 AM
Start with your assessor; they should be able to give you some guidance on your report. What is their take on what you need to provide? I'd think referencing existing resources on secure wireless should be sufficient.
Our assessor thought we had it covered.
Shift4SMS
03-26-2008, 08:52 AM
To paraphrase one of our 'big brains'; it's like telling the client that they should not use a lawnmower on their Astroturf, but if they choose to anyway against our recommendations... here is how we suggest you discard our recommendation.
I use a similar analogy: For someone with appendicitis, should we hand him or her a knife and map out where the appendix is or would it be better to tell the person to seek the advice of a doctor? In the medical world, the former would be considered malpractice.
Anyway, we're going to try a different approach. We're going to include a copy of the latest PCI requirements in our documentation -- hopefully we won't step on toes with copyright issues.
rx.jeff
02-20-2009, 12:48 PM
After reading this, I'm really IRKED, to put it mildly. I have been assigned to write up our PABP Implementation Guide, and I had put in areas where we DO NOT RECOMMEND it and, if our customers should feel the inclination to go against our recommendations, to follow the latest PCI-DSS docs at section blah blah, and gave a web <link>...
So you're telling me that VISA will NOT accept that? I've been referencing the PCI-DSS & PABP docs throughout my IG with a little blurb on how to apply to our software. You're telling me I have to re-edit?!!!!! F that!
Shift4SMS
02-20-2009, 03:36 PM
When this thread was started, VISA was the final entity approving or denying the PABP reports -- now the PCI Security Standards Committee is the overseer. I don't know if this makes a difference and I have not had the "pleasure" of dealing with them yet on this topic.
jbhall56
02-22-2009, 12:13 PM
Wireless is allowed under the PA-DSS. The proviso is that if an application vendor is delivering a solution that relies on wireless, the application vendor is responsible for dictating to the customer how to implement the wireless securely.
If wireless could be implemented but is not provided or dictated by the vendor, then the customer is responsible for ensuring the wireless is secure.
Shift4SMS
02-23-2009, 09:42 AM
Jeff,
Reread the thread. What you posted here is how I interpreted the rules but at the time, Visa had a different interpretation. The issue here was that our driver did not use wireless technology and in our documentation we specifically stated that wireless technology should not be used in the payment environment where our driver was to be used and we referred to the PCI rules on wireless. This was not good enough and was rejected. The reason for the rejection was someone at Visa determined that since wireless devices could be used (even against our recommendation), we had to document to the merchant how to securely configure the wireless network.
Again, PCI-SSC is now in charge of this so I don't know their interpretation of this topic.
jbhall56
02-24-2009, 04:36 PM
That is the current interpretation as I'm aware from the PCI SSC.
jonassono
02-27-2009, 03:23 PM
I am both a Certified Wireless Network Administrator (CWNA) and a Certified Wireless Security Professional (CWSP) and can't understand the security link between a PCI-DSS application and a Wi-Fi access service.
Wi-Fi security for PCI-DSS environments {Requirement 2.1.1 (a) and (b)} requires "strong encryption technology for authentication and transmissions". To the Wi-Fi security professional, this means WPA2 security with 802.1X using some variation of EAP for authentication and AES for encryption. Anything less is hazardous.
All of which has absolutely nothing to do with an application running in the merchant's PCI-DSS environment, since the application is at the ISO layer 7 while Wi-Fi is at ISO Layer 2 & 3. Neither have any possible influence over the other.
The second issue for Wi-Fi is the use of intrusion detection/intrusion prevention systems (Requirement 11.1) to detect rogue access points that could potentially open up unauthorized access to the merchant's PCI-DSS environment.
jbhall56
03-01-2009, 06:57 AM
The PCI DSS is predominantly a network security based standard, so wireless security is very relevant. It is even more relevant because the majority of large retailers have implemented one or more wireless solutions for POS.
Most of the wireless in use that transmits cardholder data (CHD) is not your typical client-to-concentrator type of implementation; it is in creating a wireless bridge from a network of POS at one location to another location. Wireless bridges can be adequately secured by ensuring the APs 'dead end' at their respective networks and that the APs only provide a conduit for an IPSec or TLS tunnel between the POS and server.
Where retailers do use wireless in a client to concentrator approach, most are proprietary systems (non-802.11 standard) that use a key rotation strategy and require a vendor maintenance agreement to obtain drivers and software. Not perfect, but also not readily hackable since they are not 802.11 solutions.
Where retailers have implemented 802.11 solutions, most are old enough that they are using WPA and TKIP. However, a mitigating control is that most of these solutions that I've reviewed do not leak outside their facilities. So you would have to be inside their facility with a PC to compromise them. And since they are not a Starbucks, you would stick out like a sore thumb as you tried to compromise their network. Where I have had clients that allow people to congregate with PCs, we recommend using WPA2 with enterprise authentication implemented, such as 802.1X.
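A worked check for the two things the posts above turn on: jonassono's reading of 2.1.1 (802.1X/EAP authentication with AES on the air) and 11.1 (finding rogue access points), and jbhall56's point that many installed 802.11 deployments are still WPA/TKIP. This is an added example, not code from any poster in the thread. It assumes a hypothetical inventory of installed BSSIDs and SSIDs, a constructed scan dump shaped like the output of `iw dev wlan0 scan`, and verdict names of my own choosing.

```python
"""Wi-Fi scan audit: rogue-AP detection plus an encryption-strength check.
Added example, not code from the thread: the scan text is a constructed sample
shaped like `iw dev wlan0 scan` output, and every BSSID, SSID and inventory
entry is hypothetical.
"""
import re
from dataclasses import dataclass, field

# Hypothetical inventory: installed BSSIDs -> SSID, plus the SSIDs that carry cardholder data.
AUTHORIZED_BSSIDS = dict.fromkeys(["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"], "POS-NET")
CARDHOLDER_SSIDS = {"POS-NET"}

@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    privacy: bool = False                            # capability Privacy bit (WEP or better)
    rsn_pairwise: set = field(default_factory=set)   # ciphers in the RSN (WPA2) element
    rsn_akm: set = field(default_factory=set)        # auth suites in the RSN element
    wpa_pairwise: set = field(default_factory=set)   # ciphers in the legacy WPA (v1) element

def parse_iw_scan(text):
    """Pull the fields the audit needs out of an `iw scan` dump."""
    bsses, cur, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line)
        if m:
            cur, section = Bss(bssid=m.group(1)), None
            bsses.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur.ssid = s[5:].strip()
        elif s.startswith("capability:"):
            cur.privacy = "Privacy" in s
        elif s.startswith("RSN:"):
            section = "rsn"
        elif s.startswith("WPA:"):
            section = "wpa"
        elif s.startswith("* Pairwise ciphers:"):
            ciphers = set(s.split(":", 1)[1].split())
            if section == "rsn":
                cur.rsn_pairwise |= ciphers
            elif section == "wpa":
                cur.wpa_pairwise |= ciphers
        elif s.startswith("* Authentication suites:") and section == "rsn":
            cur.rsn_akm |= set(s.split(":", 1)[1].split())  # e.g. "IEEE 802.1X" or "PSK"
    return bsses

def classify(bss, inventory, cde_ssids):
    """Return (verdict, reason) for one observed BSS."""
    expected = inventory.get(bss.bssid)
    if expected is None:
        if bss.ssid in cde_ssids:
            return "ROGUE", "unknown BSSID advertising a cardholder-data SSID"
        return "UNKNOWN", "not in inventory; confirm it is a neighbour, not a device on the CDE"
    if bss.ssid != expected:
        return "MISCONFIGURED", f"authorized AP advertising unexpected SSID {bss.ssid!r}"
    if "CCMP" in bss.rsn_pairwise and "802.1X" in bss.rsn_akm and not bss.wpa_pairwise:
        return "OK", "WPA2 with AES-CCMP and 802.1X authentication"
    if "CCMP" in bss.rsn_pairwise:
        return "WEAK", "WPA2-AES present, but PSK and/or legacy WPA/TKIP still enabled"
    if bss.wpa_pairwise or "TKIP" in bss.rsn_pairwise:
        return "WEAK", "WPA/TKIP only, no AES-CCMP"
    if bss.privacy:
        return "WEAK", "Privacy bit set with no RSN/WPA element: WEP"
    return "OPEN", "no encryption"

def audit(scan_text, inventory=AUTHORIZED_BSSIDS, cde_ssids=CARDHOLDER_SSIDS):
    """Map each observed BSSID to its (verdict, reason)."""
    return {b.bssid: classify(b, inventory, cde_ssids) for b in parse_iw_scan(scan_text)}

# Constructed sample: compliant AP, legacy WPA/TKIP AP, WEP AP, open evil twin, neighbour.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: POS-NET
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:66(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: POS-NET
    WPA:     * Version: 1
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS 00:11:22:33:44:77(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: POS-NET
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    SSID: POS-NET
BSS 66:77:88:99:aa:bb(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    SSID: CoffeeShop
"""

if __name__ == "__main__":
    for bssid, (verdict, reason) in audit(SAMPLE_SCAN).items():
        print(f"{bssid}  {verdict:<13} {reason}")
```

On a real host, `iw dev wlan0 scan > scan.txt` followed by `audit(open("scan.txt").read())` gives the same table for whatever is in radio range of that one adapter. That is the caveat: a single scan from a single point is a spot check, not the recurring detection that 11.1 asks for, and an attacker's AP sitting outside the scanning host's range is simply not seen. The inventory is the real control; the script only tells you how far the air has drifted from it.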
cmark
03-15-2009, 01:42 PM
Steve,
I am quite frankly in disbelief at their response. Should you also be responsible for telling your clients how to securely use an iPod or other mass storage device... just in case they decide to use one? I certainly think it is sufficient to say... "Hey Mr. or Ms. Merchant... don't use wireless. If you want to use wireless, contact a QSA or other security professional."
Strange response from them.
Shift4SMS
03-16-2009, 09:00 AM
...."Hey Mr. or Ms. Merchant...don't use wireless. If you want to use wireless contact a QSA or other security professional".
That was almost our exact wording. Since this incident we've had two additional reports go through the process and this issue did not come up. Maybe it was just an overzealous auditor on Visa’s side at the time? Or the auditors at the top read forums like this one and rethink their stance? Who knows???
jbhall56
03-17-2009, 12:55 PM
They've had a lot of turnover at Visa in the PCI compliance area, so I would write it off as a 'newbie' being overzealous. Hopefully, calmer heads will prevail.
However, it continues to amaze me at how mindless even some technical people can be when it comes to wireless. The best one was a friend of mine who has very secure wireless at home and does a great job for his customers securing their wireless. Then he complains to me that he got his notebook hacked at a coffee shop using their unsecured wireless. Go figure!?